In server 2008, it’s quite easy to attach a task to an event. In EventViewer, simply right-click on the event and choose Attach Task to This Event. This is fine and dandy but sometimes, we want a little more granular control over when to actually fire the task; e.g., I typically want to only notify myself via email of failed RDP logons, not ALL failed logons.
It’s a little more complicated to get only the events you want based on some details inside the actual event – the Event Data.
Note: In Server 2008 the EventID for a Successful Logon is 4624 and for a Failed Logon is 4625. There are multiple Logon Types and you can reference them at this link from MSDN and adapt this guide to your liking. Look at the Logon Type section specifically.
These are the two XPath filters I’ll be working with and I will show you how to create 2 tasks based on 2 separate events:
1. Failed RDP Logon
2. Successful RDP Logon
XML for Failed RDP Logon
Note: After doing some testing, it seems that LogonType 10 isn’t working for notification but LogonType 3 is. I’m still looking at why this is the case since this is RDP logon I’m testing.
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4625)]] and *[EventData[Data[@Name='LogonType'] and (Data=10)]]</Select>
XML for Successful RDP Logon
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType'] and (Data=10)]]</Select>
1. Failed RDP Logon Task Setup
Launch Event Viewer (Start -> eventvwr.msc [ENTER])
Right Click “Security” event log and choose “Attach Task to this Log”
Give the task a meaningful name
Click Next on this screen
Choose an action to perform when our event is triggered. In this guide I’m going to be sending an email notification to myself so I chose ‘Send an e-mail.’
Fill in the details for the e-mail action settings portion of the wizard.
Make sure to check ‘Open the properties dialog…’ so that we can customize this action when we click finish.
Check to make sure you have this action set to run even if a user is not logged on and also that it is set to run at highest privilege level.
On the ‘Triggers’ tab, highlight the trigger and click ‘Edit’
Check ‘Custom’ then click ‘New Event Filter’
Click on the ‘XML’ tab and check ‘Edit query manually’
Paste in the Failed RDP Logon code from up above into this box. Of course you can substitute the eventid or the logontype if you know what you want in there already. =)
Click OK to close this dialog
Click ‘Ok’ again to close the properties for this task action
When you clicked ok, you may be prompted to enter the credentials of the user that will be running this task. Enter your credentials and click OK. (Typically the system administrator credentials)
Congrats, you just setup an email notification task when RDP logon fails.
2. Successful RDP Logon
Repeat all the steps from 1. Failed RDP Logon, simply replacing the XML EventID with 4624.
Manage Event Viewer Tasks
You can see all your Event Viewer Tasks by launching Task Scheduler (Start -> taskschd.msc [ENTER]) and choosing the Event Viewer Tasks folder.
Event Viewer Tasks
Hopefully this helps anyone out there that has been wondering how to do this. Got any more tips? Let me know.
I’d be interested to know if you can specify variables in the email output – like other XPath variables that could be set or something. Maybe even a specific event tag so that instead of directly emailing, you could write a short script that runs and will get the full details (Event Data) of the event and then embed it in an email.
I have found (Oh, glorious Google: Ref 1, Ref 2) how to reference Event Data in the emails. This makes me excited and now I’m cooking up commands also for dynamically adding IPs to RDP firewall for this case.
So, to be able to reference a variable from the Event Data, you need to add a ValueQueries element (MSDN link) to your Task. The easiest way to do this is to export your task as XML and open it with notepad to edit it. First, let’s look at some of the data options available to use as variables. To get these, I like to find an event in the event viewer and look at the XML and look at the Data elements.
Friendly view of an event showing the data types
Let’s go back to what I was wanting to do originally – notify via email when a failed RDP logon occurs. Now, I not only want to just send myself an email but I want to include some extra information. In this case, I want to include the IpAddress as well as the TargetUserName. This will tell me which IP address the logon came from as well as what user name the remote system tried to use. Awesome!
So, fire up task scheduler (Start -> taskschd.msc [ENTER]) and navigate to the event viewer tasks item in the left pane. Then, right-click the task we created earlier (Failed RDP Logon) and choose Export.
Save it somewhere convenient and then right-click and choose Edit (or open with notepad).
We need to add a ValueQueries element in the EventTrigger element.
You will want to add the ValueQueries element in the EventTrigger element. Of course if you aren’t following what I’m doing, change them to something you’d rather see from your own available event data values.
Now that we have setup the variables, let’s add them to our email message. This can be done from in this exported task easily. Scroll to the bottom and look for the following block of code:
In that, modify your Body element to reflect your variables. Note: Variables are CAsE-SenSiTive!
So in conclusion there are some really cool “tricks” we can do here to help monitor our systems. Another cool thing would be to, instead of email notification, simply take the $(IpAddress) and pass it to a command such as, say,:
netsh advfirewall firewall add rule name="Block $(IpAddress) - Bad Dude" dir=in protocol=any action=block remoteip=$(IpAddress)
Now, how cool would that be? =)